Operational Risk Management: An Evolving Discipline Operational risk is not a new concept in scope. Before attempting to define the the banking industry. Risks associated term, it is essential to understand that with operational failures stemming from operational risk is present in all activities events such as processing errors, internal of an organization. As a result, some of and external fraud, legal claims, and the earliest practitioners defined opera- business disruptions have existed at tional risk as every risk source that lies financial institutions since the inception outside the areas covered by market risk of banking. As this article will discuss, and credit risk. But this definition of one of the great challenges in systemati- operational risk includes several other cally managing these types of risks is risks (such as interest rate, liquidity, and that operational losses can be quite strategic risk) that banks manage and diverse in their nature and highly unpre- does not lend itself to the management dictable in their overall financial impact. of operational risk per se. As part of the revised Basel framework,1 the Basel Banks have traditionally relied on Committee on Banking Supervision set appropriate internal processes, audit forth the following definition: programs, insurance protection, and other risk management tools to counter- Operational risk is defined as the act various aspects of operational risk. risk of loss resulting from inadequate These tools remain of paramount impor- or failed internal processes, people, tance; however, growing complexity in and systems or from external events. the banking industry, several large and This definition includes legal risk, but widely publicized operational losses in excludes strategic and reputational recent years, and a changing regulatory risk. capital regime have prompted both While the Basel Committee’s definition banks and banking supervisors to includes what the Committee considers increasingly view operational risk to be crucial elements, each bank’s defi- management (ORM) as an evolving disci- nition for internal management purposes pline. Of particular note is the applica- should recognize its unique risk charac- tion of quantitative concepts, similar to teristics, including its size and sophistica- those used to measure credit and market tion, as well as the nature and risks, to the measurement of operational complexity of its products and activities. risk. In cooperation with industry partici- This article provides an introduction to pants, the Basel Committee has identi- operational risk, outlines the current fied the seven operational risk event state of ORM, and describes different types, shown in Table 1.2 quantification approaches in this evolv- ing field. An Evolving Banking Landscape Operational Risk Defined The operational environment for many The definition of operational risk banks has evolved dramatically in recent continues to evolve, in part owing to its years. Deregulation and globalization of 1 Basel Committee on Banking Supervision (Basel Committee), International Convergence of Capital Measure- ment and Capital Standards (the revised Basel II framework), November 2005, Paragraph 644. Available at www.bis.org/publ/bcbs118.htm. 2 The event types and abbreviated examples presented in the table appear in the Basel Committee’s Sound Practices for the Management and Supervision of Operational Risk, Paragraph 5. Available at www.bis.org/publ/bcbs86.pdf. 4 Supervisory Insights Summer 2006 Table 1 Loss Event Types and Examples Event Type Examples Internal fraud Employee theft, intentional misreporting of positions, and insider trading on an employee’s own account External fraud Robbery, forgery, and check kiting Employment practices Workers’ compensation and discrimination claims, violation of and workplace safety employee health and safety rules, and general liability Clients, products, and Fiduciary breaches, misuse of confidential customer information, business practices money laundering, and sale of unauthorized products Damage to physical Terrorism, vandalism, earthquakes, fires, and floods assets Business disruption Hardware and software failures, telecommunication problems, and and system failures utility outages Execution, delivery, and Data entry errors, collateral management failures, incomplete legal process management documentation, and vendor disputes financial services, the proliferation of new ments in data capture methods over the and highly complex products, large-scale collection period, it appears that in aggre- acquisitions and mergers, and greater use gate loss amounts have increased since of outsourcing arrangements have led to collection efforts began. For example, 20 increased operational risk profiles for participating banks reported operational many institutions. Technological losses of $15 billion in 2004, surpassing advances, including growth in e-banking the previous high of $5 billion in losses transactions, automation, and other reported by 17 institutions in 2002. related business applications also present Losses associated with operational risk new and potentially heightened expo- events can be large. Some well-known sures from an operational risk standpoint. examples are the collapse of Barings Available data support the idea that Bank due to fraudulent trading and the banks’ operational environments are substantial legal settlements entered into getting riskier. Chart 1 depicts data by Citigroup and JPMorgan Chase with gleaned from the 2004 Loss Data Collec- regard to the Enron and WorldCom tion Exercise (LDCE)3 conducted in matters. The business disruptions and preparation for the U.S. implementation financial impacts resulting from Hurri- of the Basel II capital framework. Despite cane Katrina and the September 11 certain inherent limitations in the data, terrorist attacks also exemplify how such as differences in data availability major, unforeseen events can materially among the reporting banks and improve- affect a bank’s operations. 3 The 2004 LDCE was a voluntary survey that asked respondents to provide data on individual operational losses through June or September 2004 to enable the banking agencies to assess the potential impact of Basel II on capital for U.S. banking organizations. The results of the survey can be found at www.bos.frb.org/bankinfo/qau/pd051205.pdf and www.bos.frb.org/bankinfo/conevent/oprisk2005/defontnouvelle.pdf. Additional information regarding the LDCE is at www.ffiec.gov/ldce. 5 Supervisory Insights Summer 2006 Operational Risk continued from pg. 5 Chart 1 Available Data Suggest Riskier Operational Environment [Operational Losses — Frequency and Severity] 20,000 24 Total # of Losses (Left hand scale) Total Loss Amount ($M, left hand scale) 15,000 # of Firms Reporting (Right hand scale) 18 10,000 12 5,000 6 0 0 Pre-1999 1999 2000 2001 2002 2003 2004 Source: 2004 Loss Data Collection Exercise3 to promote a natural segmentation of Controlling Operational Risk risk awareness, because risks are catego- Traditional ORM practices, which most rized along functional lines. This banks employ today, rely on internal approach can create significant opera- processes, audit programs, and insur- tional risks if management fails to 5 ance protection to counterbalance opera- consider end-to-end processes. tional risk. They are based largely on the More recent ORM practices are assumption that intelligent, educated founded on the view that intuition alone people can, through their intuition, iden- is not sufficient to drive the ORM tify their organization’s significant risks, process. In this view, ORM practices corresponding controls, and associated must extend to quantitative measure- 4 metrics. In such environments, business ment, including historical loss data, lines manage their operational risks as formal risk assessments, statistical analy- they see fit (using a “silo approach”) sis, and independent evaluation.6 with little or no formality or process transparency. A common framework at the largest U.S. banks combines the traditional silo Some larger banks have gone beyond approach with an enterprise-wide over- the silo approach by establishing central- sight function. The enterprise-wide (or ized departments or groups responsible corporate) function designs and imple- for focusing on particular segments of ments the bank’s ORM framework, operational risk, such as operating which serves as the structure to identify, processes, compliance, fraud, business measure, monitor, and control or miti- continuity, or vendor management/ gate operational risk. The framework is outsourcing. While this evolution has defined by the risk tolerance determined improved overall risk awareness, it tends by the board of directors, as well as the 4 Ali Samad-Khan, “Fundamental Issues in OpRisk Management,” OpRisk & Compliance, February 2006. 5 Eric Holmquist, “Scaling Op Risk Management for SMIs: How to Avoid Boundary Disputes,” OpRisk & Compliance, January 2006. 6 Ali Samad-Khan, “Fundamental Issues in OpRisk Management.” 6 Supervisory Insights Summer 2006 formal operational risk policies outlining • Assist in evaluating the adequacy of roles and responsibilities, data standards, capital in relation to the bank’s overall risk assessment processes, reporting risk profile standards, and a quantification method- • Enhance risk management efforts by ology.7 Business line managers continue providing a common framework for to “own the risk,” but risks are identified managing the risk through formal self-assessments.